<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Code Injection on Stacknoah</title>
    <link>https://stacknoah.com/writeup/wargame/code-injection/</link>
    <description>Recent content in Code Injection on Stacknoah</description>
    <generator>Hugo</generator>
    <language>ko-kr</language>
    <lastBuildDate>Mon, 13 Jul 2026 22:19:09 +0900</lastBuildDate>
    <atom:link href="https://stacknoah.com/writeup/wargame/code-injection/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Addition Calculator(DH, S3)</title>
      <link>https://stacknoah.com/writeup/wargame/code-injection/addition-calculator/</link>
      <pubDate>Tue, 07 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://stacknoah.com/writeup/wargame/code-injection/addition-calculator/</guid>
      <description>&lt;h2 id=&#34;tldr&#34;&gt;TL;DR&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;취약점: &lt;code&gt;/&lt;/code&gt; POST가 사용자 입력 &lt;code&gt;formula&lt;/code&gt;를 &lt;code&gt;eval()&lt;/code&gt;에 그대로 넘김 → 임의 파이썬 코드 실행(RCE). 유일한 방어막은 &lt;code&gt;filter()&lt;/code&gt; 하나임.&lt;/li&gt;
&lt;li&gt;트릭: 필터가 문자 화이트리스트(영문·숫자·공백·&lt;code&gt;. ( ) +&lt;/code&gt;)라 따옴표·언더스코어·대괄호·콤마가 전부 막힘 → 문자열 리터럴 불가. 허용 문자만으로 문자열을 합성하는 유일 수단이 &lt;code&gt;chr(n)+chr(n)+...&lt;/code&gt;임.&lt;/li&gt;
&lt;li&gt;페이로드: &lt;code&gt;open(chr(102)+chr(108)+chr(97)+chr(103)+chr(46)+chr(116)+chr(120)+chr(116)).read()&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;흐름&#34;&gt;흐름&lt;/h2&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;경로&lt;/th&gt;
          &lt;th&gt;입력&lt;/th&gt;
          &lt;th&gt;통제주체&lt;/th&gt;
          &lt;th&gt;역할&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;/ (GET)&lt;/td&gt;
          &lt;td&gt;-&lt;/td&gt;
          &lt;td&gt;-&lt;/td&gt;
          &lt;td&gt;입력 폼&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;/ (POST)&lt;/td&gt;
          &lt;td&gt;formula (form)&lt;/td&gt;
          &lt;td&gt;공격자&lt;/td&gt;
          &lt;td&gt;filter 통과 시 eval(formula) 실행 → 결과 렌더 → sink&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;flag.txt는 app.py와 같은 경로에 존재함.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
